book

Mastering Modern Web Penetration Testing

Name: Mastering Modern Web Penetration Testing
Author: Prakhar Prasad
ISBN: 9781785284588

by Prakhar Prasad

October 2016

Intermediate to advanced

298 pages

5h 49m

English

Packt Publishing

Read now

Unlock full access

Mastering Modern Web Penetration Testing
Table of Contents
Mastering Modern Web Penetration Testing
Credits
About the Author
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and moreWhy subscribe?
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the example codeErrataPiracyQuestions
1. Common Security Protocols
SOPDemonstration of the same-origin policy in Google ChromeSwitching originsQuirks with Internet ExplorerCross-domain messagingAJAX and the same-origin policy
CORS
CORS headersPre-flight requestSimple request
URL encoding – percent encoding
Unrestricted charactersRestricted charactersEncoding tableEncoding unrestricted characters
Double encoding
Introducing double encodingIIS 5.0 directory traversal code execution – CVE-2001-0333Using double encoding to evade XSS filters
Base64 encoding
Character set of Base64 encodingThe encoding processPadding in Base64
Summary
2. Information Gathering
Information gathering techniquesActive techniquesPassive techniques
Enumerating Domains, Files, and Resources
Fierce
theHarvester
SubBrute
CeWL
DirBuster
WhatWeb
MaltegoWolfram Alpha
Shodan
DNSdumpster
Reverse IP Lookup – YouGetSignal
Pentest-Tools
Google Advanced Search
Summary
3. Cross-Site Scripting
Reflected XSSDemonstrating reflected XSS vulnerabilityReflected XSS – case study 1Reflected XSS – case study 2
Stored XSS
Demonstrating stored XSSStored XSS through MarkdownStored XSS through APIsStored XSS through spoofed IP addresses
Flash-based XSS – ExternalInterface.call()
HttpOnly and secure cookie flags
DOM-based XSS
XSS exploitation – The BeEF
Setting Up BeEFDemonstration of the BeEF hook and its componentsLogsCommandsRiderXssraysIPecNetwork
Summary
4. Cross-Site Request Forgery
Introducing CSRF
Exploiting POST-request based CSRF
How developers prevent CSRF?
PayPal's CSRF vulnerability to change phone numbers
Exploiting CSRF in JSON requests
Using XSS to steal anti-CSRF tokens
Exploring pseudo anti-CSRF tokens
Flash comes to the rescue
Rosetta FlashDefeating XMLHTTPRequest-based CSRF protection
Summary
5. Exploiting SQL Injection
Installation of SQLMap under Kali Linux
Introduction to SQLMap
Injection techniques
Dumping the data – in an error-based scenario
Interacting with the wizardDump everything!
SQLMap and URL rewriting
Speeding up the process!
Multi-threadingNULL connectionHTTP persistent connectionsOutput predictionBasic optimization flags
Dumping the data – in blind and time-based scenarios
Reading and writing files
Checking privilegesReading filesWriting files
Handling injections in a POST request
SQL injection inside a login-based portal
SQL shell
Command shell
Evasion – tamper scripts
Configuring with proxies
Summary
6. File Upload Vulnerabilities
Introducing file upload vulnerability
Remote code execution
Multi-functional web shellsNetcat accessible reverse shell
The return of XSS
SWF – the flashSVG images
Denial of Service
Malicious JPEG file – pixel floodMalicious GIF file – frame floodMalicious zTXT field of PNG files
Bypassing upload protections
Case-sensitive blacklist extension check bypass
MIME content type verification bypass
Apache's htaccess trick to execute benign files as PHPSetHandler methodThe AddType methodBypassing image content verification
Summary
7. Metasploit and Web
Discovering Metasploit modules
Interacting with Msfconsole
Using Auxiliary Modules related to Web Applications
Understanding WMAP – Metasploit's Web Application Security Scanner
Generating Web backdoor payload with Metasploit
Summary
8. XML Attacks
XML 101 – the basicsXML elementsXML AttributesXML DTD and entitiesInternal DTDExternal DTDEntitiesEntity declaration
XXE attack
Reading filesPHP Base64 conversion URI as an alternativeSSRF through XXERemote code executionDenial of Service through XXE
XML quadratic blowup
XML billion laughsThe quadratic blowupWordPress 3.9 quadratic blowup vulnerability – Case Study
Summary
9. Emerging Attack Vectors
Server Side Request ForgeryDemonstrating SSRFProtocol Handlers for SSRF URLsCase Study – MailChimp port scan SSRFOpen port – with non-HTTP serviceOpen port – with HTTP serviceClosed port – with HTTP service
Insecure Direct Object Reference
The basics of IDORCase studiesIDOR in Flipkart to delete saved shipping addressesIDOR in HackerOne to leak private response template data
DOM clobbering
Case study – breaking GitHub's Gist comment system through DOM clobbering
Relative Path Overwrite
Controlling CSSInternet Explorer
UI redressing
PHP Object Injection
PHP serializationPHP magic functionsObject injection
Summary
10. OAuth 2.0 Security
Introducing the OAuth 2.0 modelOAuth 2.0 rolesResource ownerClientResource serverAuthorization serverThe applicationRedirect URIAccess tokenClient IDClient secret
Receiving grants
Authorization grantImplicit grant
Exploiting OAuth for fun and profit
Open redirect – the malformed URLHijacking the OAuth flow – fiddling with redirect URIDirectory traversal tricksDomain tricksNaked domainTLD suffix confusionFlow hijack through open redirect on clientForce a malicious app installation
Summary
11. API Testing Methodology
Understanding REST APIsREST API conceptsURIsURI formatModelling of resourceStitching things togetherREST API and HTTPRequest methodsResponse codesHeaders
Setting up the testing environment
Analyzing the APIBasic HTTP authenticationAccess tokenCookiesToolsBurp SuiteREST API clientsCustom API explorers
Learning the API
Developer documentationUnderstanding requests/responsesLearning scopesLearning roles
Basic methodology to test developer APIs
Listing endpointsFiring different request methodsExploiting API bugsScope based testingCase study 1Case study 2Roles based testingCase study 1Insecure direct object reference testingCase study 2
Summary
Index

Content preview from Mastering Modern Web Penetration Testing

Dumping the data – in an error-based scenario

Let's go back to the previously discussed example, and now we shall exploit the vulnerability using the error-based technique of SQLMap to list the database user and list of databases as follows:

./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 --current-user

The output is shown in the following screenshot:

Dumping the data – in an error-based scenario

Impressive! The current database user pointed out by SQLMap is root.

Now let us print the list of databases present using --dbs switch as follows:

./sqlmap.py -u http://192.168.50.2/Less-1/?id=2 --dbs

The output is shown in the following screenshot:

Once we have the list of databases available, it may be ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Hands-On Web Penetration Testing with Metasploit

Publisher Resources

ISBN: 9781785284588

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering Modern Web Penetration Testing

by Prakhar Prasad

Dumping the data – in an error-based scenario

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.